US5159634A - Cryptosystem for cellular telephony - Google Patents

Cryptosystem for cellular telephony Download PDF

Info

Publication number
US5159634A
US5159634A US07/759,309 US75930991A US5159634A US 5159634 A US5159634 A US 5159634A US 75930991 A US75930991 A US 75930991A US 5159634 A US5159634 A US 5159634A
Authority
US
United States
Prior art keywords
signals
signal
tet
setting
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US07/759,309
Inventor
James A. Reeds, III
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AT&T Corp
Nokia of America Corp
Original Assignee
AT&T Bell Laboratories Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AT&T Bell Laboratories Inc filed Critical AT&T Bell Laboratories Inc
Assigned to AMERICAN TELEPHONE AND TELEGRAPH COMPANY reassignment AMERICAN TELEPHONE AND TELEGRAPH COMPANY ASSIGNMENT OF ASSIGNORS INTEREST. Assignors: REEDS, JAMES A. III
Priority to US07/759,309 priority Critical patent/US5159634A/en
Priority to DE69230423T priority patent/DE69230423T2/en
Priority to EP92308000A priority patent/EP0532228B1/en
Priority to FI924090A priority patent/FI108590B/en
Priority to JP4267808A priority patent/JP2693348B2/en
Publication of US5159634A publication Critical patent/US5159634A/en
Application granted granted Critical
Assigned to LUCENT TECHNOLOGIES, INC. reassignment LUCENT TECHNOLOGIES, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AT&T CORP.
Assigned to THE CHASE MANHATTAN BANK, AS COLLATERAL AGENT reassignment THE CHASE MANHATTAN BANK, AS COLLATERAL AGENT CONDITIONAL ASSIGNMENT OF AND SECURITY INTEREST IN PATENT RIGHTS Assignors: LUCENT TECHNOLOGIES INC. (DE CORPORATION)
Assigned to LUCENT TECHNOLOGIES INC. reassignment LUCENT TECHNOLOGIES INC. TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENT RIGHTS Assignors: JPMORGAN CHASE BANK, N.A. (FORMERLY KNOWN AS THE CHASE MANHATTAN BANK), AS ADMINISTRATIVE AGENT
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K1/00Secret communication
    • H04K1/02Secret communication by adding a second signal to make the desired signal unintelligible
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • This invention relates to cryptology and more particularly to a cryptosystem for ensuring the privacy of communications in the context of cellular telephony.
  • each telephone set (fax unit, modem, etc) is physically connected to a unique port on a switch at a local central office.
  • the connection is through a dedicated wire, or through a designated channel on a dedicated wire.
  • the wire connection is installed by the service provider (who, typically, is the common carrier) and, therefore, the service provider can be reasonably sure that transmission on the channel arrives from the subscriber. By comparison, authentication of a subscriber in wireless telephony is less certain.
  • an interloper can inject himself into an established connection, overpower the customer's cellular telephone equipment by transmitting more power, and redirect the call to his or her purposes by sending certain control codes to the service provider.
  • piracy will succeed because the service provider has no mechanism for independently authenticating the identity of the caller at the time the connection is established and/or while the connection is active.
  • a classical challenge/response protocol may be used, based on a private key cryptographic algorithm.
  • a subscriber's mobile station is issued with a secret key which also known by the home system.
  • the home system composes a random challenge and applies a one-way function to the challenge concatenated with the subscribers key to obtain the corresponding response.
  • the challenge and response are supplied to the serving system, which issues the challenge to the mobile station.
  • the mobile station in turn replies with the response, which it calculates from the challenge and from its stored secret key.
  • the serving system compares the responses supplied by the home system and by the mobile station, and if they match, the mobile station is deemed authentic.
  • Public key cryptography provides another standard class of ways for solving authentication problems.
  • each mobile station would be provided with a "public key certificate" of identity, signed by the public key of the service provider, stating that the mobile station is a legitimate customer of the service provider.
  • each mobile would also be given secret data (private keys) which it can use, together with the certificate, to prove to third parties (such as the serving system) that it is a legitimate customer.
  • service provider could have a pair of RSA keys, (F,G), with F private and G public.
  • the service provider could supply each mobile with its own pair (D,E) of RSA keys, together with F(E) (the encryption of the mobile's public key E using the provider's private key F).
  • a mobile asserts its identity by sending (E,F(E)) to the serving system.
  • the serving system applies G to F(E) to obtain E.
  • the serving system generates a challenge X, encrypts it with the mobile's public key E to obtain E(X) which it sends to the mobile.
  • the mobile applies its private key D to E(X) to obtain X, which it sends back to the server in the clear as a response.
  • Needham-Schroeder Another technique is proposed by R. M. Needham and M. D. Schroeder in Using Encryption for Authentication in Large Computer Networks, Comm. of the ACM, Vol. 21, No. 12, 993-999 (December 1978).
  • AS trusted, party
  • the protocol is as follows: when party A wishes to communicate with party B, it sends to authentication server AS his own name, the name of party B and a transaction identifier. Server AS returns the name of party B, a session key, the transaction identifier and a message encrypted with B's key.
  • Party A receives the information, decrypts it, selects the portion that is encrypted with B's key and forwards that portion to party B.
  • Party B decrypts the received messages and finds in it the name of party A and the session key.
  • a last check is made by party B issuing a challenge to party A and party A replies, using the session key.
  • a match found at party B authenticates the identity of party A.
  • plaintext messages of variable length can be encrypted and decrypted easily on an 8-bit microcomputer.
  • the invention is a relatively secure, self-inverting, symmetric key cryptosystem that is comprised of three stages.
  • the first stage is an autokeyed encryption on the plaintext.
  • the second stage is a self-inverting cipher where the encryption key is derived from a portion of the message as encrypted by the first stage.
  • the third stage is a second autokeyed decryption that corresponds to the autokeyed encryption of the first stage.
  • FIG. 1 illustrates an arrangement of network providers and cellular radio provides interconnected for service to both stationary and mobile telephones and the like;
  • FIG. 2 depicts the process for directing the creation of a shared secret data field and the verification of same
  • FIG. 3 shows the elements that are concatenated and hashed to create the shared secret data
  • FIG. 4 shows the elements that are concatenated and hashed to create the verification sequence
  • FIG. 5 shows the elements that are concatenated and hashed to create the registration sequence when the mobile unit goes on the air
  • FIG. 6 shows the elements that are concatenated and hashed to create the call initiation sequence
  • FIG. 7 depicts the speech encryption and decryption process in a mobile unit
  • FIGS. 8 and 9 shows the elements that are concatenated and hashed to create the re-authentication sequence
  • FIG. 10 illustrates the three stage process for encrypting and decrypting selected control and data messages
  • FIG. 11 presents a block diagram of a mobile unit's hardware.
  • a mobile cellular telephone arrangement there are many mobile telephones, a much smaller number of cellular radio providers (with each provider having one or more base stations) and one or more switching network providers (common carriers).
  • the cellular radio providers and the common carriers combine to allow a cellular telephone subscriber to communicate with both cellular and non-cellular telephone subscriber.
  • This arrangement is depicted diagrammatically in FIG. 1, where common carrier I and common carrier II combine to form a switching network comprising switches 10-14.
  • Stationary units 20 and 21 are connected to switch 10, mobile units 22 and 23 are free to roam, and base stations 30-40 are connected to switches 10-14.
  • Base stations 30-34 belong to provider 1
  • base stations 35 and 36 belong to provider 2
  • base station 37 belongs to provider 4
  • base stations 38-40 belong to provider 3.
  • a base station is synonymous with a cell wherein one or more transmitters are found.
  • a collection of cells makes up a cellular geographic service area (CGSA) such as, for example, base stations 30, 31, and 32 in FIG. 1.
  • Each mobile unit has an electronic serial number (ESN) that is unique to that unit.
  • ESN electronic serial number
  • the ESN number is installed in the unit by the manufacturer, at the time the unit is built (for example, in a read-only-memory), and it is unalterable. It is accessible, however.
  • the service provider When a customer desires to establish a service account for a mobile unit that the customer owns or leases, the service provider assigns to the customer a phone number (MIN1 designation), an area code designation (MIN2 designation) and a "secret" (A-key).
  • the MIN1 and MIN2 designations are associated with a given CGSA of the provider, and all base stations in the FIG. 1 arrangement can identify the CGSA to which a particular MIN2 and MIN1 pair belongs.
  • the A-key is known only to the customer's equipment and to provider's CGSA processor (not explicityly shown in FIG. 1.
  • the CGSA processor maintains the unit's ESN, A-key, MIN1 and MIN2 designations and whatever other information the service provider may wish to have.
  • the customer's unit is initialized for service when the CGSA processor sends to the mobile unit a special random sequence (RANDSSD), and a directive to create a "shared secret data" (SSD) field.
  • RANDSSD special random sequence
  • SSD shared secret data
  • each base station broadcasts information to all units within its cell on some preassigned frequency channel (broadcast band). In addition, it maintains two way communications with each mobile unit over a mutually agreed, (temporarily) dedicated, channel.
  • the manner by which the base station and the mobile unit agree on the communications channel is unimportant to this invention, and hence it is not described in detail herein.
  • One approach may be, for example, for the mobile unit to scan all channels and select an empty one. It would then send to the base station its MIN2 and MIN1 designations (either in plaintext form or enciphered with a public key), permitting the base station to initiate an authentication process. Once authenticated communication is established, if necessary, the base station can direct the mobile station to switch to another channel.
  • an authentication process may be carried out a number of times throughout the conversation. Therefore, the authentication process employed should be relatively secure and simple to implement. To simplify the design and lower the implementation cost, both the mobile unit and the base station should use the same process.
  • a hashing function performs a many-to-one mapping which converts a "secret" to a signature.
  • the following describes one hashing function that is simple, fast, effective, and flexible. It is quite suitable for the authentication processes of this invention but, of course, other hashing functions can be used.
  • the Jumble process can create a "signature" of a block of d "secret” data words b(i), with the aid of a k-word key x(j), where d and k are integers.
  • the "signature” creation process is carried out on one data word at a time.
  • the words on which the Jumble process operates are 8 bits long (providing a range from 0 to 256), but any other word size can be employed.
  • the "secret” data block length is incorporated in the saw tooth function.
  • any string that is used for authentication can have a portion thereof used as a key for the above process.
  • the data words concatenated with the key can be considered to be the "authentication string.”
  • each word b(i), where 0 ⁇ i ⁇ d-1 is hashed individually, one at a time, which makes the hashing "in place”. No additional buffers are needed for the hashing process per se.
  • a new SSD field is generated in accordance with FIG. 3.
  • the mobile unit concatenates the ESN designation, the A-key, and the RANDSSD sequence to form an authentication string.
  • the authentication string is applied to Jumble block 101 (described above) which outputs the SSD field.
  • the SSD field comprises two subfields: the SSD-A subfield which is used to support authentication procedures, and the SSD-B subfield which is used to support voice privacy procedures and encryption of some signaling messages (described below). It may be noted that a larger number of SSD subfields can be created. If one needs a larger total number of bits, one needs only to start with a larger number of data bits. As will be appreciated from the disclosure below, that is not a challenging requirement.
  • the home CGSA processor knows the ESN and the A-key of the mobile unit to which the received MIN2 and MIN1 designations were assigned. It also knows the RANDSSD sequence that it sent. Therefore, the home CGSA processor is in position to duplicate the SSD field creation process of the mobile unit. By concatenating the RANDSSD signal with the ESN designation and the A-key, and with the above-described Jumble process, the CGSA processor creates a new SSD field and partitions it into SSD-A and SSD-B subfields. However, the SSD field created in the home CGSA processor must be verified.
  • verification of the created SSD field is initiated by the mobile unit.
  • the mobile unit generates a random challenge sequence (RANDBS sequence) in block 102 and sends it to the home CGSA processor through the serving base station.
  • RANDBS sequence random challenge sequence
  • the home CGSA processor concatenates the challenge RANDBS sequence, the ESN of the mobile unit, the MIN1 designation of the mobile unit, and the newly created SSD-A to form an authentication string which is applied to the Jumble process.
  • the Jumble process creates a hashed authentication signal AUTHBS which is sent to the mobile station.
  • the mobile station also combines the RANDBS sequence, its ESN designation, its MIN1 designation and the newly created SSD-A to form an authentication string that is applied to the Jumble process.
  • the mobile station compares the result of its Jumble process to the hashed authentication signal (AUTHBS) received from the home CGSA processor. If the comparison step (block 104) indicates a match, the mobile station sends a confirmation message to the home CGSA processor indicating the success of the update in the SSD field. Otherwise, the mobile station reports on the failure of the match comparison.
  • AUTHBS hashed authentication signal
  • the SSD field remains in force until the home CGSA processor directs the creation of a new SSD field. That can occur, for example, if there is reason to believe that the SSD field has been compromised. At such a time, the home CGSA processor sends another RANDSSD sequence to the mobile unit, and a directive to create a new SSD field.
  • each base station broadcasts various informational signals for the benefit of all of the mobile units in its cell.
  • one of the signals broadcast by the base station is a random or pseudorandom sequence (RAND sequence).
  • the RAND sequence is used by various authentication processes to randomize the signals that are created and sent by the mobile units.
  • the RAND sequence must be changed periodically to prevent record/playback attacks.
  • One approach for selecting the latency period of a RAND signal is to make it smaller than the expected duration of an average call. Consequently, a mobile unit, in general, is caused to use different RAND signals on successive calls.
  • the mobile unit As soon as the mobile unit enters a cell it registers itself with the base unit so that it can be authenticated, it can initiate calls, and the base station can direct calls to the mobile unit.
  • the mobile unit When the mobile unit registers with a serving base station, it sends to the serving base station its MIN1 and MIN2 designations and its ESN sequence.
  • an authentication process is carried out in the course of registering, and that process is depicted in FIG. 5.
  • the mobile unit receives the broadcast RAND sequence; concatenates the RAND sequence, the ESN sequence, the MIN1 designation and the SSD-A subfield to form an authentication string; and applies the authentication string to the Jumble process.
  • the hashed authentication string at the output of the Jumble process is sent to the serving base station together with the ESN sequence.
  • all or part of the RAND sequence used by the mobile unit is also sent to the serving base station, because the possibility exists that the RAND value has changed by the time the hashed authentication string reaches the base station.
  • the serving base station knows the RAND sequence because the base station created it.
  • the base station also knows the ESN and the MIN2 and MIN1 designations that the mobile unit identified itself with. But, on first registration, the serving base station does not know the SSD field of the mobile unit. It does know, however, the mobile unit's home CGSA processor (from the MIN1 and MIN2 designations) so the authentication proceeds as follows.
  • the serving base station sends to the home CGSA processor the MIN1 designation, the ESN sequence, the hashed authentication string that the mobile unit transmitted, and the RAND sequence that the mobile unit used to create the hashed authentication string.
  • the home CGSA processor From the mobile unit's MIN1 designation and ESN sequence the home CGSA processor knows the mobile unit's SSD-A subfield, so it proceeds to create an authentication string as described above and applies it to the Jumble process. If the hashed authentication string created by the home CGSA processor matches the hashed authentication string created in the mobile unit and supplied by the serving base station, then verification is deemed successful. In such a case, the home CGSA processor supplies the serving base station with the unit's SSD field. As an aside, to keep the ESN designation and the SSD field secure, the communication between the base stations and the CGSA processor is carried in encrypted form.
  • the serving base station possesses the ESN and the SSD field of the mobile unit, and subsequent authentication processes in that cell can proceed in the serving base station without reference to the home CGSA processor--except one. Whenever, for any reason, it is desirable to alter the SSD field, communication is effectively between the home CGSA processor and the mobile unit; and the serving base station serves only as a conduit for this communication. That is,
  • the home CGSA processor creates a RANDSSD sequence and alters the SSD field based on that RANDSSD sequence
  • the home CGSA processor supplies the serving base station with the RANDSSD sequence and the newly created SSD field,
  • the serving base station directs the mobile unit to alter its SSD field and provides the mobile unit with the RANDSSD sequence
  • the mobile unit alters the SSD field and sends a challenge to the serving base station
  • the serving base station creates the AUTHBS string (described above) and sends it to the mobile unit, and
  • the mobile unit verifies the AUTHBS string and informs the serving base station that both the mobile unit and the serving base station have the same SSD fields.
  • the mobile unit can initiate calls, in accordance with FIG. 6.
  • the call initiation sequence concatenates signals RAND, ESN, SSD-A and at least some of the called party's identification (phone) number (MIN3 in FIG. 6).
  • the concatenated signals are applied to the Jumble process to develop a hashed authentication sequence that can be verified by the serving base station.
  • the called party's identification number must also be transmitted in a manner that can be received by the base station (and, as before, perhaps a portion of the RAND signal), i.e., in plaintext.
  • the base station can process the call and make the connection to the called party.
  • the protocol for connecting to a mobile unit when it is a "called party" follows the registration protocol of FIG. 5. That is, the serving base station requests the called mobile station to send an authentication sequence created from the RAND sequence, ESN designation, MIN1 designation and SSD-A subfield. When authentication occurs, a path is set up between the base station and the called party mobile unit, for the latter to receive data originating from, and send data to, the mobile unit (or stationary unit) that originated the call.
  • the speech signal is encrypted by first converting it to digital form. This can be accomplished in any number of conventional ways, with or without compression, and with or without error correction codes.
  • the bits of the digital signals are divided into successive groups of K bits and each of the groups is encrypted. More specifically, in both the mobile unit and the base station the RAND sequence, the ESN and MIN1 designations, and the SSD-B subfield are concatenated and applied to the Jumble process. The Jumble process produces 2K bits and those bits are divided into groups A and B of K bits each. In the mobile unit group A is used for encrypting outgoing speech, and group B is used for decrypting incoming speech. Conversely in the base station, group A is used for decrypting incoming speech and group B is used for encrypting outgoing speech.
  • FIG. 7 depicts the speech encryption and decryption process.
  • a re-authentication process is initiated to confirm that the mobile unit which the base station believes is active, is, in fact, the mobile unit that was authorized to be active. This is accomplished by the base station requesting the mobile unit to send a hashed authentication sequence in accordance with FIG. 7. With each such request, the base station sends a special (RANDU) sequence.
  • the mobile unit creates the hashed authentication sequence by concatenating the RANDU sequence, the area code MIN2 designation of the mobile unit, the ESN designation, the MIN1 designation and the SSD-A designation.
  • the concatenated string is applied to the Jumble process, and the resulting hashed authentication string is sent to the base station.
  • the base station at this point, is in a position to verify that the hashed authentication string is valid.
  • the third security measure deals with ensuring the privacy of control messages.
  • various circumstances may arise that call for the transmission of control messages.
  • the control messages can significantly and adversely affect either the mobile station that originated the call or the base station. For that reason, it is desirable to encipher (reasonably well) some types of control messages sent while the conversation is in progress. Alternately, selected fields of selected message types may be encrypted. This includes "data" control messages such as credit card numbers, and call redefining control messages. This is accomplished with the Control Message Cryptosystem.
  • the Control Message Cryptosystem is a symmetric key cryptosystem that has the following properties:
  • the cryptographic key for CMC is an array, TBOX[z], of 256 bytes which is derived from a "secret” (e.g., SSD-B subfield) as follows:
  • CMC can be used to encrypt and decrypt control messages. Alternately, the key can be derived "on-the-fly" each time the key is used.
  • CMC has the capability to encipher variable length messages of two or more bytes. CMC's operation is self-inverting reciprocal or involutory. That is, precisely the same operations are applied to the ciphertext to yield plaintext as are applied to plaintext to yield ciphertext. Thus, a two-fold application of the CMC operations would leave the buffer contents unchanged.
  • CMC is comprised of three successive stages, each of which alters each byte string in the data buffer.
  • data buffer is d bytes long and each byte is designated by b(i), for i in the range 0 ⁇ i ⁇ d:
  • the first stage of CMC is as follows:
  • CMC's final stage is the decryption that is inverse of the first stage:
  • the three stage process employed to encrypt and decrypt selected control and data messages is illustrated in FIG. 10.
  • the first stage and the third stage are an autokey encryption and decryption, respectively.
  • An autokey system is a time-varying system where the output of the system is used to affect the subsequent output of the system.
  • FIG. 11 presents a block diagram of a mobile unit hardware. It comprises a control block 200 which includes the key pad of a cellular telephone, the hand set and the unit's power control switch. Control block 200 is connected to processor 210 which controls the workings of the mobile unit, such as converting speech signals to digital representation, incorporating error correction codes, encrypting the digital speech signal, decrypting incoming speech signals, forming and encrypting (as well as decrypting) various control messages, etc.
  • Block 210 is coupled to block 220 which comprises the bulk of the circuitry associated with transmission and reception of signals.
  • Blocks 200-220 are basically conventional blocks, performing the functions that are currently performed by commercial mobile telephone units (though the commercial units do not do encrypting and decrypting).
  • the apparatus of FIG. 8 also includes a block 240 which comprises a number of registers coupled to processor 210, and a "personality" module 230 that is also coupled to processor 210.
  • Module 230 may be part of the physical structure of a mobile telephone unit, or it may be a removable (and pluggable) module that is coupled to the mobile telephone unit through a socket interface. It may also be coupled to processor 210 through an electromagnetic path, or connection. Module 230 may be, for example, a "smart card”.
  • Module 230 comprises a Jumble processor 231 and a number of registers associated with processor 231. Alternately, in another preferred embodiment, only the A-Key is in the module 230. A number of advantages accrue from installing (and maintaining) the A-Key, and the MIN1 and MIN2 designations in the registers of module 230, rather than in the registers of block 240. It is also advantageous to store the developed SSD field in the registers of module 230. It is further advantageous include among the registers of module 230 any needed working registers for carrying out the processes of processor 231. By including these elements in module 230, the user may carry the module on his person to be used with different mobile units (e.g. "extension" mobile units) and more of the sensitive information is stored outside the module. Of course, mobile units may be produced with module 230 being an integral and permanent part of the unit. In such embodiments, Jumble processor 231 may be merged within processor 210. Block 240 stores the unit's ESN designation and the various RAND sequences that are received.

Abstract

A relatively secure, self-inverting, symmetric key cryptosystem designed for efficient implementation on an 8-bit microcomputer. The cryptosystem is especially well suited use in cellular telephony. The method of encryption is comprised of three stages: 1) an autokeyed encryption, 2) the use of a one-time pad encryption where the key is derived from a portion of the message as encrypted by the first stage, and 3) a second autokeyed decryption that is the inverse of the first.

Description

BACKGROUND OF THE INVENTION
This invention relates to cryptology and more particularly to a cryptosystem for ensuring the privacy of communications in the context of cellular telephony.
In conventional telephony each telephone set (fax unit, modem, etc) is physically connected to a unique port on a switch at a local central office. The connection is through a dedicated wire, or through a designated channel on a dedicated wire. The wire connection is installed by the service provider (who, typically, is the common carrier) and, therefore, the service provider can be reasonably sure that transmission on the channel arrives from the subscriber. By comparison, authentication of a subscriber in wireless telephony is less certain.
Under the current cellular telephony arrangement in the United States, when a cellular telephone subscriber places a call, his or her cellular telephone indicates to the service provider the identity of the caller for billing purposes. This information is not encrypted. If an interloper eavesdrops at the right time, he or she can obtain the subscriber's identification information. This includes the subscriber's phone number and the electronic serial number (ESN) of the subscriber's equipment. Thereafter, the interloper can program his or her cellular telephone to impersonate that bona fide subscriber to fraudulently obtain services. Alternately, an interloper can inject himself into an established connection, overpower the customer's cellular telephone equipment by transmitting more power, and redirect the call to his or her purposes by sending certain control codes to the service provider. Basically, such piracy will succeed because the service provider has no mechanism for independently authenticating the identity of the caller at the time the connection is established and/or while the connection is active.
Technology is available to permit an eavesdropper to automatically scan all of the cellular frequencies in a given cell for such identification information. Consequently, piracy of cellular telephone services is rampant. Also, the lack of enciphering of the speech signals lays bare to eavesdroppers the content of conversations. In short, there is a clear and present need for effective security measures in the cellular telephony art, and that suggests the use of cryptology for the purposes of ensuring authentication and privacy.
Several standard cryptographic methods exist for solving the general sort of authentication problem that exists in cellular telephony, but each turns out to have practical problems. First, a classical challenge/response protocol may be used, based on a private key cryptographic algorithm. In this approach, a subscriber's mobile station is issued with a secret key which also known by the home system. When a serving system wishes to authenticate a subscriber, it applies to the home system for a challenge and a response to use with the given subscriber. The home system composes a random challenge and applies a one-way function to the challenge concatenated with the subscribers key to obtain the corresponding response. The challenge and response are supplied to the serving system, which issues the challenge to the mobile station. The mobile station in turn replies with the response, which it calculates from the challenge and from its stored secret key. The serving system compares the responses supplied by the home system and by the mobile station, and if they match, the mobile station is deemed authentic.
The problem with this approach is that often the serving system is unable to contact the home system quickly enough to allow authentication of a call setup, or that the database software on the home system is unable to look up the subscriber's secret key and compose the challenge/response pair quickly enough. Network or software delays of a second or two would add that much dead time till the subscriber hears a dial tone after picking up the handset when placing a call, and longer delays (given the control networks and switching apparatus currently used by cellular providers) would be common. In the present milieu, such delays are unacceptable.
Public key cryptography provides another standard class of ways for solving authentication problems. Generally speaking, each mobile station would be provided with a "public key certificate" of identity, signed by the public key of the service provider, stating that the mobile station is a legitimate customer of the service provider. In addition, each mobile would also be given secret data (private keys) which it can use, together with the certificate, to prove to third parties (such as the serving system) that it is a legitimate customer.
For example, service provider could have a pair of RSA keys, (F,G), with F private and G public. The service provider could supply each mobile with its own pair (D,E) of RSA keys, together with F(E) (the encryption of the mobile's public key E using the provider's private key F). Then a mobile asserts its identity by sending (E,F(E)) to the serving system. The serving system applies G to F(E) to obtain E. The serving system generates a challenge X, encrypts it with the mobile's public key E to obtain E(X) which it sends to the mobile. The mobile applies its private key D to E(X) to obtain X, which it sends back to the server in the clear as a response.
Although some variations on this theme involve less computation or data transmission than others, no public key authentication scheme yet exists which is efficiently executable in less than a second's time on the sort of hardware currently used in cellular telephones. Even though network connectivity between the serving and home systems is not needed at the moment of authentication, as it is in the classical approach, the same time constraints which rule out the classical approach also rule out the public key approach.
Another technique is proposed by R. M. Needham and M. D. Schroeder in Using Encryption for Authentication in Large Computer Networks, Comm. of the ACM, Vol. 21, No. 12, 993-999 (December 1978). In brief, the Needham-Schroeder technique requires that a third, trusted, party (AS) should serve as an authentication server which distributes session keys to the prospective parties (A and B) who are attempting to establish secure communications. The protocol is as follows: when party A wishes to communicate with party B, it sends to authentication server AS his own name, the name of party B and a transaction identifier. Server AS returns the name of party B, a session key, the transaction identifier and a message encrypted with B's key. All that information is encrypted with A's key. Party A receives the information, decrypts it, selects the portion that is encrypted with B's key and forwards that portion to party B. Party B decrypts the received messages and finds in it the name of party A and the session key. A last check (to prevent "replays") is made by party B issuing a challenge to party A and party A replies, using the session key. A match found at party B authenticates the identity of party A.
SUMMARY OF THE INVENTION
In accordance with the invention, plaintext messages of variable length can be encrypted and decrypted easily on an 8-bit microcomputer. The invention is a relatively secure, self-inverting, symmetric key cryptosystem that is comprised of three stages. The first stage is an autokeyed encryption on the plaintext. The second stage is a self-inverting cipher where the encryption key is derived from a portion of the message as encrypted by the first stage. The third stage is a second autokeyed decryption that corresponds to the autokeyed encryption of the first stage.
BRIEF DESCRIPTION OF THE DRAWING
FIG. 1 illustrates an arrangement of network providers and cellular radio provides interconnected for service to both stationary and mobile telephones and the like;
FIG. 2 depicts the process for directing the creation of a shared secret data field and the verification of same;
FIG. 3 shows the elements that are concatenated and hashed to create the shared secret data;
FIG. 4 shows the elements that are concatenated and hashed to create the verification sequence;
FIG. 5 shows the elements that are concatenated and hashed to create the registration sequence when the mobile unit goes on the air;
FIG. 6 shows the elements that are concatenated and hashed to create the call initiation sequence;
FIG. 7 depicts the speech encryption and decryption process in a mobile unit;
FIGS. 8 and 9 shows the elements that are concatenated and hashed to create the re-authentication sequence;
FIG. 10 illustrates the three stage process for encrypting and decrypting selected control and data messages; and
FIG. 11 presents a block diagram of a mobile unit's hardware.
DETAILED DESCRIPTION
In a mobile cellular telephone arrangement there are many mobile telephones, a much smaller number of cellular radio providers (with each provider having one or more base stations) and one or more switching network providers (common carriers). The cellular radio providers and the common carriers combine to allow a cellular telephone subscriber to communicate with both cellular and non-cellular telephone subscriber. This arrangement is depicted diagrammatically in FIG. 1, where common carrier I and common carrier II combine to form a switching network comprising switches 10-14. Stationary units 20 and 21 are connected to switch 10, mobile units 22 and 23 are free to roam, and base stations 30-40 are connected to switches 10-14. Base stations 30-34 belong to provider 1, base stations 35 and 36 belong to provider 2, base station 37 belongs to provider 4, and base stations 38-40 belong to provider 3. For purposes of this disclosure, a base station is synonymous with a cell wherein one or more transmitters are found. A collection of cells makes up a cellular geographic service area (CGSA) such as, for example, base stations 30, 31, and 32 in FIG. 1.
Each mobile unit has an electronic serial number (ESN) that is unique to that unit. The ESN number is installed in the unit by the manufacturer, at the time the unit is built (for example, in a read-only-memory), and it is unalterable. It is accessible, however.
When a customer desires to establish a service account for a mobile unit that the customer owns or leases, the service provider assigns to the customer a phone number (MIN1 designation), an area code designation (MIN2 designation) and a "secret" (A-key). The MIN1 and MIN2 designations are associated with a given CGSA of the provider, and all base stations in the FIG. 1 arrangement can identify the CGSA to which a particular MIN2 and MIN1 pair belongs. The A-key is known only to the customer's equipment and to provider's CGSA processor (not explicityly shown in FIG. 1. The CGSA processor maintains the unit's ESN, A-key, MIN1 and MIN2 designations and whatever other information the service provider may wish to have.
With the MIN1 designation and the A-key installed, the customer's unit is initialized for service when the CGSA processor sends to the mobile unit a special random sequence (RANDSSD), and a directive to create a "shared secret data" (SSD) field. (The CGSA sends the RANDSSD and the SSD field generation directive through the base station of the cell where the mobile unit is present.) Creation of the SSD field follows the protocol described in FIG. 2.
As an aside, in the FIG. 1 arrangement each base station broadcasts information to all units within its cell on some preassigned frequency channel (broadcast band). In addition, it maintains two way communications with each mobile unit over a mutually agreed, (temporarily) dedicated, channel. The manner by which the base station and the mobile unit agree on the communications channel is unimportant to this invention, and hence it is not described in detail herein. One approach may be, for example, for the mobile unit to scan all channels and select an empty one. It would then send to the base station its MIN2 and MIN1 designations (either in plaintext form or enciphered with a public key), permitting the base station to initiate an authentication process. Once authenticated communication is established, if necessary, the base station can direct the mobile station to switch to another channel.
As described in greater detail hereinafter, in the course of establishing and maintaining a call on a mobile telephony system of this invention, an authentication process may be carried out a number of times throughout the conversation. Therefore, the authentication process employed should be relatively secure and simple to implement. To simplify the design and lower the implementation cost, both the mobile unit and the base station should use the same process.
Many authentication processes use a hashing function, or a one-way function, to implement the processes. A hashing function performs a many-to-one mapping which converts a "secret" to a signature. The following describes one hashing function that is simple, fast, effective, and flexible. It is quite suitable for the authentication processes of this invention but, of course, other hashing functions can be used.
THE JUMBLE PROCESS
The Jumble process can create a "signature" of a block of d "secret" data words b(i), with the aid of a k-word key x(j), where d and k are integers. The "signature" creation process is carried out on one data word at a time. For purposes of this description, the words on which the Jumble process operates are 8 bits long (providing a range from 0 to 256), but any other word size can be employed. The "secret" data block length is incorporated in the saw tooth function.
Sd (t)=t for 0≦t≦d-1
Sd (t)=2d-2-t for d≦t≦2d-3, and
Sd (t)=Sd (t+2d-2) for all t.
This function is used in the following process where, starting with z=0 and i=0, for successively increasing integer values of i in the range 0≦6d-5,
a) b(Sd (i)) is updated by:
b(S.sub.d (i))=b(S.sub.d (i))+x(i.sub.k)+SBOX(z) mod 256
where
ik is i modulo k, SBOX(z)=y+[y/2048]mod 256,
y=(z⊕16)(z+111)(z), [y/2048]is the integer portion of y divided by 2048, and ⊕ represents the bit-wise Exclusive-OR function; and
b) z is updated with: z=z+b(Sd (i)) mod 256.
It may be appreciated that in the process just described there is no real distinction between the data and the key. Therefore, any string that is used for authentication can have a portion thereof used as a key for the above process. Conversely, the data words concatenated with the key can be considered to be the "authentication string." It may also be noted that each word b(i), where 0≦i<d-1 is hashed individually, one at a time, which makes the hashing "in place". No additional buffers are needed for the hashing process per se.
The process just described can be easily carried out with a very basic conventional processor, since the only operations required are: shifting (to perform the division by 2048), truncation (to perform the [] function and the mod 256 function), addition, multiplication, and bit-wise Exclusive-OR functions.
Returning to the SSD field initialization process of FIG. 2, when a RANDSSD sequence and the directive to create a new SSD field (arrow 100 in FIG. 2) are received by the mobile station, a new SSD field is generated in accordance with FIG. 3. The mobile unit concatenates the ESN designation, the A-key, and the RANDSSD sequence to form an authentication string. The authentication string is applied to Jumble block 101 (described above) which outputs the SSD field. The SSD field comprises two subfields: the SSD-A subfield which is used to support authentication procedures, and the SSD-B subfield which is used to support voice privacy procedures and encryption of some signaling messages (described below). It may be noted that a larger number of SSD subfields can be created. If one needs a larger total number of bits, one needs only to start with a larger number of data bits. As will be appreciated from the disclosure below, that is not a challenging requirement.
The home CGSA processor knows the ESN and the A-key of the mobile unit to which the received MIN2 and MIN1 designations were assigned. It also knows the RANDSSD sequence that it sent. Therefore, the home CGSA processor is in position to duplicate the SSD field creation process of the mobile unit. By concatenating the RANDSSD signal with the ESN designation and the A-key, and with the above-described Jumble process, the CGSA processor creates a new SSD field and partitions it into SSD-A and SSD-B subfields. However, the SSD field created in the home CGSA processor must be verified.
In accordance with FIG. 2, verification of the created SSD field is initiated by the mobile unit. The mobile unit generates a random challenge sequence (RANDBS sequence) in block 102 and sends it to the home CGSA processor through the serving base station. In accordance with FIG. 4, the home CGSA processor concatenates the challenge RANDBS sequence, the ESN of the mobile unit, the MIN1 designation of the mobile unit, and the newly created SSD-A to form an authentication string which is applied to the Jumble process. In this instance, the Jumble process creates a hashed authentication signal AUTHBS which is sent to the mobile station. The mobile station also combines the RANDBS sequence, its ESN designation, its MIN1 designation and the newly created SSD-A to form an authentication string that is applied to the Jumble process. The mobile station compares the result of its Jumble process to the hashed authentication signal (AUTHBS) received from the home CGSA processor. If the comparison step (block 104) indicates a match, the mobile station sends a confirmation message to the home CGSA processor indicating the success of the update in the SSD field. Otherwise, the mobile station reports on the failure of the match comparison.
Having initialized the mobile station, the SSD field remains in force until the home CGSA processor directs the creation of a new SSD field. That can occur, for example, if there is reason to believe that the SSD field has been compromised. At such a time, the home CGSA processor sends another RANDSSD sequence to the mobile unit, and a directive to create a new SSD field.
As mentioned above, in cellular telephony each base station broadcasts various informational signals for the benefit of all of the mobile units in its cell. In accordance with FIG. 1 management, one of the signals broadcast by the base station is a random or pseudorandom sequence (RAND sequence). The RAND sequence is used by various authentication processes to randomize the signals that are created and sent by the mobile units. Of course, the RAND sequence must be changed periodically to prevent record/playback attacks. One approach for selecting the latency period of a RAND signal is to make it smaller than the expected duration of an average call. Consequently, a mobile unit, in general, is caused to use different RAND signals on successive calls.
In accordance with one aspect of this invention, as soon as the mobile unit enters a cell it registers itself with the base unit so that it can be authenticated, it can initiate calls, and the base station can direct calls to the mobile unit. When the mobile unit registers with a serving base station, it sends to the serving base station its MIN1 and MIN2 designations and its ESN sequence. Of course, an authentication process is carried out in the course of registering, and that process is depicted in FIG. 5. According to FIG. 5, the mobile unit receives the broadcast RAND sequence; concatenates the RAND sequence, the ESN sequence, the MIN1 designation and the SSD-A subfield to form an authentication string; and applies the authentication string to the Jumble process. The hashed authentication string at the output of the Jumble process is sent to the serving base station together with the ESN sequence.
In some embodiments, all or part of the RAND sequence used by the mobile unit is also sent to the serving base station, because the possibility exists that the RAND value has changed by the time the hashed authentication string reaches the base station.
On the base station side, the serving base station knows the RAND sequence because the base station created it. The base station also knows the ESN and the MIN2 and MIN1 designations that the mobile unit identified itself with. But, on first registration, the serving base station does not know the SSD field of the mobile unit. It does know, however, the mobile unit's home CGSA processor (from the MIN1 and MIN2 designations) so the authentication proceeds as follows. The serving base station sends to the home CGSA processor the MIN1 designation, the ESN sequence, the hashed authentication string that the mobile unit transmitted, and the RAND sequence that the mobile unit used to create the hashed authentication string. From the mobile unit's MIN1 designation and ESN sequence the home CGSA processor knows the mobile unit's SSD-A subfield, so it proceeds to create an authentication string as described above and applies it to the Jumble process. If the hashed authentication string created by the home CGSA processor matches the hashed authentication string created in the mobile unit and supplied by the serving base station, then verification is deemed successful. In such a case, the home CGSA processor supplies the serving base station with the unit's SSD field. As an aside, to keep the ESN designation and the SSD field secure, the communication between the base stations and the CGSA processor is carried in encrypted form.
Once the mobile unit has been authenticated at the serving base station (via the above-described process) the serving base station possesses the ESN and the SSD field of the mobile unit, and subsequent authentication processes in that cell can proceed in the serving base station without reference to the home CGSA processor--except one. Whenever, for any reason, it is desirable to alter the SSD field, communication is effectively between the home CGSA processor and the mobile unit; and the serving base station serves only as a conduit for this communication. That is,
the home CGSA processor creates a RANDSSD sequence and alters the SSD field based on that RANDSSD sequence,
the home CGSA processor supplies the serving base station with the RANDSSD sequence and the newly created SSD field,
the serving base station directs the mobile unit to alter its SSD field and provides the mobile unit with the RANDSSD sequence,
the mobile unit alters the SSD field and sends a challenge to the serving base station,
the serving base station creates the AUTHBS string (described above) and sends it to the mobile unit, and
the mobile unit verifies the AUTHBS string and informs the serving base station that both the mobile unit and the serving base station have the same SSD fields.
Having been registered by the serving base station, the mobile unit can initiate calls, in accordance with FIG. 6. The call initiation sequence concatenates signals RAND, ESN, SSD-A and at least some of the called party's identification (phone) number (MIN3 in FIG. 6). The concatenated signals are applied to the Jumble process to develop a hashed authentication sequence that can be verified by the serving base station. Of course, to permit verification at the base station, the called party's identification number must also be transmitted in a manner that can be received by the base station (and, as before, perhaps a portion of the RAND signal), i.e., in plaintext. Once the authentication sequence is verified, the base station can process the call and make the connection to the called party.
The protocol for connecting to a mobile unit when it is a "called party", follows the registration protocol of FIG. 5. That is, the serving base station requests the called mobile station to send an authentication sequence created from the RAND sequence, ESN designation, MIN1 designation and SSD-A subfield. When authentication occurs, a path is set up between the base station and the called party mobile unit, for the latter to receive data originating from, and send data to, the mobile unit (or stationary unit) that originated the call.
It should be noted that all of the authentications described above are effective only (in the sense of being verified) with respect to the authenticated packets, or strings, themselves. To enhance security at other times, three different additional security measures can be employed. They are speech encryption, occasional re-authentication, and control message encryption.
SPEECH ENCRYPTION
The speech signal is encrypted by first converting it to digital form. This can be accomplished in any number of conventional ways, with or without compression, and with or without error correction codes. The bits of the digital signals are divided into successive groups of K bits and each of the groups is encrypted. More specifically, in both the mobile unit and the base station the RAND sequence, the ESN and MIN1 designations, and the SSD-B subfield are concatenated and applied to the Jumble process. The Jumble process produces 2K bits and those bits are divided into groups A and B of K bits each. In the mobile unit group A is used for encrypting outgoing speech, and group B is used for decrypting incoming speech. Conversely in the base station, group A is used for decrypting incoming speech and group B is used for encrypting outgoing speech. FIG. 7 depicts the speech encryption and decryption process.
RE-AUTHENTICATION
At the base station's pleasure, a re-authentication process is initiated to confirm that the mobile unit which the base station believes is active, is, in fact, the mobile unit that was authorized to be active. This is accomplished by the base station requesting the mobile unit to send a hashed authentication sequence in accordance with FIG. 7. With each such request, the base station sends a special (RANDU) sequence. The mobile unit creates the hashed authentication sequence by concatenating the RANDU sequence, the area code MIN2 designation of the mobile unit, the ESN designation, the MIN1 designation and the SSD-A designation. The concatenated string is applied to the Jumble process, and the resulting hashed authentication string is sent to the base station. The base station, at this point, is in a position to verify that the hashed authentication string is valid.
CONTROL MESSAGE CRYPTOSYSTEM
The third security measure deals with ensuring the privacy of control messages. In the course of an established call, various circumstances may arise that call for the transmission of control messages. In some situations, the control messages can significantly and adversely affect either the mobile station that originated the call or the base station. For that reason, it is desirable to encipher (reasonably well) some types of control messages sent while the conversation is in progress. Alternately, selected fields of selected message types may be encrypted. This includes "data" control messages such as credit card numbers, and call redefining control messages. This is accomplished with the Control Message Cryptosystem.
The Control Message Cryptosystem (CMC) is a symmetric key cryptosystem that has the following properties:
1) it is relatively secure,
2) it runs efficiently on an eight-bit computer, and
3) it is self-inverting.
The cryptographic key for CMC is an array, TBOX[z], of 256 bytes which is derived from a "secret" (e.g., SSD-B subfield) as follows:
1. for each z in the range 0≦z<256, set TBOX[z]=z, and
2. apply the array TBOX[z] and the secret (SSD-B) to the Jumble process.
This is essentially what is depicted in elements 301, 302 and 303 in FIG. 8 (except that the number of bytes in FIG. 7 is 2K rather than 256).
Once the key is derived, CMC can be used to encrypt and decrypt control messages. Alternately, the key can be derived "on-the-fly" each time the key is used. CMC has the capability to encipher variable length messages of two or more bytes. CMC's operation is self-inverting reciprocal or involutory. That is, precisely the same operations are applied to the ciphertext to yield plaintext as are applied to plaintext to yield ciphertext. Thus, a two-fold application of the CMC operations would leave the buffer contents unchanged.
In the description that follows it is assumed that for the encryption process (and the decryption process) the plaintext (or the ciphertext) resides in a data buffer and that CMC operates on the contents of that data buffer such that the final contents of the data buffer constitute the ciphertext (or plaintext). That means that elements 502 and 504 in FIG. 10 can be one and the same register.
CMC is comprised of three successive stages, each of which alters each byte string in the data buffer. When the data buffer is d bytes long and each byte is designated by b(i), for i in the range 0≦i<d:
I. The first stage of CMC is as follows:
1. Initialize a variable z to zero,
2. For successive integer values of i in the range 0≦i<d
a. form a variable q by: q=z⊕ low order byte of i, where ⊕ is the bitwise boolean Exclusive-OR operator,
b. form variable k by: k=TBOX[q],
c. update b(i) with: b(i)=b(i)+k mod 256, and
d. update z with: z=b(i)+z mod 256.
II. The second stage of CMC is:
1. for all values of i in the range 0≦i<(d-1)/2: b(i)=b(i)⊕(b(d-1-i) OR 1), where OR is the bitwise boolean OR operator.
III. CMC's final stage is the decryption that is inverse of the first stage:
1. Initialize a variable z to zero,
2. For successive integer values of i in the range 0≦i<d
a. form a variable q by: q=z⊕ low order byte of i,
b. form variable k by: k=TBOX[q],
c. update z with: z=b(i)+z mod 256,
d. update b(i) with: b(i)=b(i)-k mod 256.
The three stage process employed to encrypt and decrypt selected control and data messages is illustrated in FIG. 10. In one preferred embodiment the first stage and the third stage are an autokey encryption and decryption, respectively. An autokey system is a time-varying system where the output of the system is used to affect the subsequent output of the system. For further reference regarding cryptography and autokey systems, see W. Diffie and M. E. Hellman, Privacy and Authentication: An Introduction to Cryptography, Proc. of the I.E.E.E., Vol. 67, No. 3, March 1979.
MOBILE UNIT APPARATUS
FIG. 11 presents a block diagram of a mobile unit hardware. It comprises a control block 200 which includes the key pad of a cellular telephone, the hand set and the unit's power control switch. Control block 200 is connected to processor 210 which controls the workings of the mobile unit, such as converting speech signals to digital representation, incorporating error correction codes, encrypting the digital speech signal, decrypting incoming speech signals, forming and encrypting (as well as decrypting) various control messages, etc. Block 210 is coupled to block 220 which comprises the bulk of the circuitry associated with transmission and reception of signals. Blocks 200-220 are basically conventional blocks, performing the functions that are currently performed by commercial mobile telephone units (though the commercial units do not do encrypting and decrypting). To incorporate the authentication and encryption processes disclosed herein, the apparatus of FIG. 8 also includes a block 240 which comprises a number of registers coupled to processor 210, and a "personality" module 230 that is also coupled to processor 210. Module 230 may be part of the physical structure of a mobile telephone unit, or it may be a removable (and pluggable) module that is coupled to the mobile telephone unit through a socket interface. It may also be coupled to processor 210 through an electromagnetic path, or connection. Module 230 may be, for example, a "smart card".
Module 230 comprises a Jumble processor 231 and a number of registers associated with processor 231. Alternately, in another preferred embodiment, only the A-Key is in the module 230. A number of advantages accrue from installing (and maintaining) the A-Key, and the MIN1 and MIN2 designations in the registers of module 230, rather than in the registers of block 240. It is also advantageous to store the developed SSD field in the registers of module 230. It is further advantageous include among the registers of module 230 any needed working registers for carrying out the processes of processor 231. By including these elements in module 230, the user may carry the module on his person to be used with different mobile units (e.g. "extension" mobile units) and more of the sensitive information is stored outside the module. Of course, mobile units may be produced with module 230 being an integral and permanent part of the unit. In such embodiments, Jumble processor 231 may be merged within processor 210. Block 240 stores the unit's ESN designation and the various RAND sequences that are received.
Although the above disclosure is couched in terms of subscriber authentication in a cellular telephony environment, and that includes personal communication networks which will serve portable wallet sized handsets, it is clear that the principles of this invention have applicability in other environments where the communication is perceived to be not sufficiently secure and where impersonation is a potential problem. This includes computer networks, for example.

Claims (24)

I claim:
1. In a communications system, a method of transforming a set of message signals representing a message, the method which includes the steps of
encrypting said set of message signals with an encryption process and a set of key signals to form a set of first intermediate signals,
altering said set of first intermediate signals in accordance with an involutory transformation to form a set of second intermediate signals, and decrypting said set of second intermediate signals with a decryption process which is the inverse of said encryption process to form a set of output signals,
Characterized in that:
said step of altering comprises the step of modifying a first subset of said set of first intermediate signals with an unkeyed transformation based on a second subset of said set of first intermediate signals.
2. The method of claim 1 wherein said step of encrypting comprises the step of forming said set of first intermediat signals in accordance with a first autokey process and said step of decrypting comprises the step of forming said set of output signals in accordance with a second autokey process.
3. The method of claim 1 further comprising the step of deriving said set of key signals from a set of source signals.
4. The method of claim 3 wherein said step of deriving comprises the step of hashing a set of pattern signals with said set of source signals to form said set of key signals.
5. The method of claim 4 wherein said set of key signals and the said set of pattern signals each have N elements, where N is a positive integer.
6. The method of claim 5 wherein said step of deriving comprises the step of making said set of pattern signals available for said step of hashing.
7. The method of claim 1 wherein said set of key signals has N elements and said set of message signals has D elements, where N and D are positive integers.
8. The method of claim 7 wherein said step of emcrypting said set of message signals comprises the steps of:
setting a signal z to a selected magnitude; and
for different integral magnitudes of a signal i, spanning the range 0≦i<D,
setting a signal q based on the respective magnitudes of said signals i and z;
setting a signal k based on the respective magnitudes of said signal q and on a signal T, where T is the qth element of said set of key signals;
creating an ith element of said set of first intermediate signals based on the respective magnitude of said ith element of said set of message signals and said signal k; and
updating the magnitude of said signal z based on the respective magnitudes of said ith element of said set of first intermediate signals and said signal z.
9. The method of claim 7 wherein said step of encrypting said set of message signals comprises the steps of:
setting an n-tet signal z to a selected value; and
for successive integer values of index i, spanning the rang 0 ≦i<D,
setting an n-tet signal q to z⊕m, where ⊕ is the bit-wise boolean Exclusive-OR operator and m is i modulo 2n ;
setting an n-tet signal k to T, where T is said qth n-tet element of said set of key signals;
creating an ith n-tet element of said set of first intermediate signals by adding, modulo 2n, said ith n-tet element of said set of message signals and said n-tet signal k; and
updating the value of said n-tet signal z by adding, modulo 2n, said ith n-tet element of said set of first intermediate signals and said n-tet signal z.
10. The method of claim 9 wherein each of said n-tets is an eight-tet and 2n eauals 256.
11. The method of claim 7 wherein said step of altering said set of first intermediate signals creates, in the range ##EQU1## an ith element of said set of second intermediate signals equal to b(i), ⊕q, where b(i) is the ith element of said set of first intermediate signals, where q is based on b(x), where x is based on the values of D and i, where b(x) is the xth element of said set of first intermediate signals, and where ⊕ is the bit-wise boolean Exclusive-OR operator.
12. The method of claim 7 wherein said step of decrypting said set of second intermediate signals comprises the steps of:
setting a signal z to a selected magnitude; and
for different integral magnitudes of a signal i, spanning the range 0≦i<D,
setting a signal q based on the respective magnitudes of said signals i and z;
setting a signal k based on the respective magnitudes of said signal q and on a signal T, where T is the qth element of said set of key signals;
updating the magnitude of said signal z based on the respective magnitudes of said ith element of said set of second intermediate signals and said signal z; and
creating an ith element of said set of output signals based on the respective magnitudes of said ith element of said set of second intermediate signals and said signal k.
13. The method of claim 7 wherein said step of decrypting said set of second intermediate signals comprises the steps of:
setting an n-tet signal z to a selected magnitude; and
for successive integer values of index i spanning the range 0≦i<D,
setting an n-tet signal q to z⊕m, where ⊕ is the bit-wise boolean Exclusive-OR operator and m is i modulo 2n ;
setting an n-tet signal k to T, where T is said qth n-tet element of said set of key signals;
updating the value of said n-tet signal z by adding, modulo 2n, said ith n-tet element of said set of second intermediate signals and said signal z; and
creating an ith n-tet element of said set of output signals by subtracting, modulo 2n, n-tet signal k from the ith element of said set of second intermediate signals.
14. The method of claim 12 wherein each of said n-tets is an eight-tet and 2n equals 256.
15. The method of claim 1 wherein said set of message signals represents a message in a cellular telephone system.
16. The method of claim 1 wherein said set of message signals represent speech.
17. The method of claim 1 wherein said set of message signals represent non-speech data.
18. The method of claim 1 wherein said set of message signals represents a message in a wirless communications system.
19. A cryptographic system for transforming a set of message signals which set represents a message comprising:
means for encrypting said set of message signals with an encryption process and a set of key signals to form a set of first intermediate signals;
means for altering said set of first intermediate signals in accordance with an involutory transformation to form a set of second intermediate signals; and
means for decrypting said set of second intermediate signals with a decryption process which is the inverse of said encryption process to form a set of output signals,
Characterized in that:
said means for altering comprises means for modifying a first subset of said set of first intermediate signals with an unkeyed transformation in accordance with a second subset of said set of first intermediate signals.
20. The communications systems of claim 19 wherein said means for encrypting comprises means for forming said set of first intermediate signals in accordance with a first autokey process and said means for decrypting comprises means for forming said set of output signals in accordance with a second autokey process.
21. The communications system of claim 19 wherein said set of key signals has N elements and said set of message signals had D elements, where N and D are positive integers.
22. The communications system of claim 21 wherein said means for encrypting said set of message signals comprises:
means for setting a signal z to a selected magnitude; and
means for setting a signal i to different integral magnitudes spanning the range 0≦i<D,
means for setting a signal q based on the respective magnitudes of said signals i and z;
means for setting a signal k based on the respective magnitudes of said signal q and on a signal K(q), where K(q) is the qth element of said set of key signals;
means for creating an ith element of said set of first intermediate signals based on the respective magnitudes of said ith element of said set of message signals and said signal k; and
means for updating the magnitude of said signal z based on the respective magnitudes of said ith element of said set of first intermediate signals and said signal z.
23. The communications system of claim 21 wherein said means for altering said set of first intermediate signals creates, in the range ##EQU2## an ith element of said set of second intermediate signals equal to b(i) ⊕ q, where b(i) is the ith element of said set of first intermediate signals, where q is based on b(x), where x is based on the values of D and i, where b(x) is the xth element of said set of first intermediate signals, and where ⊕ is the bit-wise boolean Exclusive-OR operator.
24. The communications system of claim 21 wherein said means for decrypting said set of second intermediate signals comprises:
means for setting a signal z to a selected magnitude; and
means for setting a signal i to different integral magnitudes spanning the range 0≦i<D,
means for setting a signal q based on the respective magnitudes of said signals i and z;
means for setting a signal k based on the respective magnitudes of said signal q and on a signal K(q), where K(q) is the qth element of said set of key signals;
means for updating the magnitude of said signal z based on the respective magnitudes of said ith element of said set of second intermediate signals and said signal z; and
means for creating an ith element of said set of output signals based on the respective magnitudes of said ith element of said set of second intermediate signals and said signal k.
US07/759,309 1991-09-13 1991-09-13 Cryptosystem for cellular telephony Expired - Lifetime US5159634A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US07/759,309 US5159634A (en) 1991-09-13 1991-09-13 Cryptosystem for cellular telephony
DE69230423T DE69230423T2 (en) 1991-09-13 1992-09-03 Secret transmission system for cellular telephony
EP92308000A EP0532228B1 (en) 1991-09-13 1992-09-03 A cryptosystem for cellular telephony
JP4267808A JP2693348B2 (en) 1991-09-13 1992-09-11 Encryption system
FI924090A FI108590B (en) 1991-09-13 1992-09-11 Mobile phone encryption system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US07/759,309 US5159634A (en) 1991-09-13 1991-09-13 Cryptosystem for cellular telephony

Publications (1)

Publication Number Publication Date
US5159634A true US5159634A (en) 1992-10-27

Family

ID=25055179

Family Applications (1)

Application Number Title Priority Date Filing Date
US07/759,309 Expired - Lifetime US5159634A (en) 1991-09-13 1991-09-13 Cryptosystem for cellular telephony

Country Status (5)

Country Link
US (1) US5159634A (en)
EP (1) EP0532228B1 (en)
JP (1) JP2693348B2 (en)
DE (1) DE69230423T2 (en)
FI (1) FI108590B (en)

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5594797A (en) * 1995-02-22 1997-01-14 Nokia Mobile Phones Variable security level encryption
US5724427A (en) * 1995-08-17 1998-03-03 Lucent Technologies Inc. Method and apparatus for autokey rotor encryption
US5727064A (en) * 1995-07-03 1998-03-10 Lucent Technologies Inc. Cryptographic system for wireless communications
US5740247A (en) * 1995-12-22 1998-04-14 Pitney Bowes Inc. Authorized cellular telephone communication payment refill system
US5748739A (en) * 1994-11-05 1998-05-05 International Computers Limited Access control for sensitive functions
US5781628A (en) * 1997-08-19 1998-07-14 Ericsson Inc. System and method for selective restriction of ciphering
US5799090A (en) * 1995-09-25 1998-08-25 Angert; Joseph C. pad encryption method and software
WO1998040984A1 (en) * 1997-03-11 1998-09-17 Qualcomm Incorporated Method of and apparatus for encrypting signals for transmission
WO1998047262A2 (en) * 1997-04-14 1998-10-22 Lucent Technologies Inc. Methods and apparatus for multiple-iteration cmea encryption and decryption for improved security for wireless telephone messages
WO1999003246A2 (en) * 1997-04-14 1999-01-21 Lucent Technologies Inc. Methods and apparatus for enhanced security expansion of a secret key into a lookup table for improved security for wireless telephone messages
WO1999005817A1 (en) * 1997-07-22 1999-02-04 Lucent Technologies Inc. Methods and apparatus for enhanced cmea including a cmea iteration preceded and followed by transformations and employing an involuntary lookup
WO1999007103A1 (en) * 1997-07-29 1999-02-11 Lucent Technologics Inc. Methods and apparatus for enhanced cmea employing enhanced transformations
US5890075A (en) * 1996-10-21 1999-03-30 Lucent Technologies Inc. Method for remotely updating data stored in a mobile terminal by a wireless telecommunications system
WO2000020972A2 (en) * 1998-10-06 2000-04-13 L-3 Communications Corporation Programmable telecommunications security module for key encryption adaptable for tokenless use
US6075858A (en) * 1995-10-27 2000-06-13 Scm Microsystems (U.S.) Inc. Encryption key system and method
KR20000054658A (en) * 2000-06-16 2000-09-05 김송식 Method for application SSMS
US6226618B1 (en) 1998-08-13 2001-05-01 International Business Machines Corporation Electronic content delivery system
US6233337B1 (en) * 1997-04-14 2001-05-15 Lucent Technologies Inc. Methods and apparatus for enhanced security expansion of a secret key into a lookup table for improved security for wireless telephone messages
US20010014942A1 (en) * 1995-12-15 2001-08-16 Hamalainen Jari Pekka Method for indicating enciphering of data transmission between a mobile communication network and a mobile station
US6330333B1 (en) 1995-07-03 2001-12-11 Lucent Technologies, Inc. Cryptographic system for wireless communications
US6389403B1 (en) 1998-08-13 2002-05-14 International Business Machines Corporation Method and apparatus for uniquely identifying a customer purchase in an electronic distribution system
US6418224B1 (en) * 1997-05-06 2002-07-09 Lucent Technologies Inc. Methods and apparatus for self-inverting multiple-iteration CMEA crypto-processing for improved security for wireless telephone messages
US6510515B1 (en) * 1998-06-15 2003-01-21 Telefonaktlebolaget Lm Ericsson Broadcast service access control
KR20030020637A (en) * 2001-09-04 2003-03-10 주식회사 현대시스콤 Method for processing data wireless security between mobile station and radio network in mobile communication system
US6611812B2 (en) 1998-08-13 2003-08-26 International Business Machines Corporation Secure electronic content distribution on CDS and DVDs
US6690798B1 (en) * 1997-12-10 2004-02-10 Ericsson Inc. Key transforms to discriminate between beams in a multi-beam satellite communication system
US6721886B1 (en) * 1998-05-20 2004-04-13 Nokia Corporation Preventing unauthorized use of service
US20040240671A1 (en) * 2001-06-15 2004-12-02 Hai-Tao Hu Method for remote loading of an encryption key in a telecommunication network station
US6834110B1 (en) 1999-12-09 2004-12-21 International Business Machines Corporation Multi-tier digital TV programming for content distribution
US20050014503A1 (en) * 2000-11-17 2005-01-20 Kabushiki Kaisha Toshiba Scheme for registration and authentication in wireless communication system using wireless LAN
US6876744B1 (en) * 1997-07-22 2005-04-05 Lucent Technologies Inc. Methods and apparatus for enhanced CMEA including a CMEA iteration preceded and followed by transformations and employing an involuntary lookup
US20050216422A1 (en) * 2000-09-08 2005-09-29 International Business Machines Corporation. System and method for secure authentication of external software modules provided by third parties
US6959288B1 (en) 1998-08-13 2005-10-25 International Business Machines Corporation Digital content preparation system
US6983371B1 (en) 1998-10-22 2006-01-03 International Business Machines Corporation Super-distribution of protected digital content
US20060053077A1 (en) * 1999-12-09 2006-03-09 International Business Machines Corporation Digital content distribution using web broadcasting services
US20060059347A1 (en) * 2002-04-18 2006-03-16 Herz Frederick S System and method which employs a multi user secure scheme utilizing shared keys
US7031472B1 (en) 1998-09-25 2006-04-18 Sony Computer Entertainment Inc. Method of authenticating information, disk playback apparatus, and entertainment apparatus
US20060089912A1 (en) * 1998-08-13 2006-04-27 International Business Machines Corporation Updating usage conditions in lieu of download digital rights management protected content
US7047222B1 (en) 1997-08-06 2006-05-16 International Business Machines Corporation Secure encryption of data packets for transmission over unsecured networks
US20060104440A1 (en) * 2002-10-30 2006-05-18 Alain Durand Simplified method for renewing symmetrical keys in a digital network
US20070157023A1 (en) * 2005-12-30 2007-07-05 Motorola, Inc. Method and apparatus for a wireless mobile device with sim challenge modification capability
US20080022375A1 (en) * 2006-06-09 2008-01-24 Stanley David J Method and apparatus for using a cell phone to facilitate user authentication
US8794516B2 (en) 1999-10-25 2014-08-05 Smartflash, LLC Data storage and access systems

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003005635A (en) * 2001-06-25 2003-01-08 Laurel Intelligent Systems Co Ltd Apparatus and method for encrypting and apparatus and method for decrypting
RU2718953C1 (en) * 2019-03-11 2020-04-15 ФЕДЕРАЛЬНОЕ ГОСУДАРСТВЕННОЕ КАЗЕННОЕ ВОЕННОЕ ОБРАЗОВАТЕЛЬНОЕ УЧРЕЖДЕНИЕ ВЫСШЕГО ОБРАЗОВАНИЯ "Военная академия Ракетных войск стратегического назначения имени Петра Великого" МИНИСТЕРСТВА ОБОРОНЫ РОССИЙСКОЙ ФЕДЕРАЦИИ Information and energy security transmitter

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4074066A (en) * 1976-04-26 1978-02-14 International Business Machines Corporation Message verification and transmission error detection by block chaining
US4078152A (en) * 1976-04-26 1978-03-07 International Business Machines Corporation Block-cipher cryptographic system with chaining
US4157454A (en) * 1976-12-22 1979-06-05 International Business Machines Corporation Method and system for machine enciphering and deciphering
US4223182A (en) * 1944-09-27 1980-09-16 Bell Telephone Laboratories, Incorporated Transmission of signals with privacy
US4316055A (en) * 1976-12-30 1982-02-16 International Business Machines Corporation Stream/block cipher crytographic system
US4399323A (en) * 1981-02-09 1983-08-16 Bell Telephone Laboratories, Incorporated Fast real-time public key cryptography
US4471164A (en) * 1981-10-13 1984-09-11 At&T Bell Laboratories Stream cipher operation using public key cryptosystem
US4731843A (en) * 1985-12-30 1988-03-15 Paradyne Corporation Method and device of increasing the execution speed of cipher feedback mode of the DES by an arbitrary multiplier
US4815130A (en) * 1986-10-03 1989-03-21 Communications Satellite Corporation Stream cipher system with feedback
US4969190A (en) * 1988-04-13 1990-11-06 Hitachi, Ltd. Encrypting system of data
US5014313A (en) * 1989-07-07 1991-05-07 Motorola, Inc. Text modifier

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL8203737A (en) * 1982-09-27 1984-04-16 Nederlanden Staat Apparatus for digitizing digital signals with one or more des circuits.
JP2661085B2 (en) * 1987-12-28 1997-10-08 三菱電機株式会社 Encryption device
DE68926076T2 (en) * 1988-08-11 1996-11-14 Ibm Secure key management using extended control vectors

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4223182A (en) * 1944-09-27 1980-09-16 Bell Telephone Laboratories, Incorporated Transmission of signals with privacy
US4074066A (en) * 1976-04-26 1978-02-14 International Business Machines Corporation Message verification and transmission error detection by block chaining
US4078152A (en) * 1976-04-26 1978-03-07 International Business Machines Corporation Block-cipher cryptographic system with chaining
US4157454A (en) * 1976-12-22 1979-06-05 International Business Machines Corporation Method and system for machine enciphering and deciphering
US4316055A (en) * 1976-12-30 1982-02-16 International Business Machines Corporation Stream/block cipher crytographic system
US4399323A (en) * 1981-02-09 1983-08-16 Bell Telephone Laboratories, Incorporated Fast real-time public key cryptography
US4471164A (en) * 1981-10-13 1984-09-11 At&T Bell Laboratories Stream cipher operation using public key cryptosystem
US4731843A (en) * 1985-12-30 1988-03-15 Paradyne Corporation Method and device of increasing the execution speed of cipher feedback mode of the DES by an arbitrary multiplier
US4815130A (en) * 1986-10-03 1989-03-21 Communications Satellite Corporation Stream cipher system with feedback
US4969190A (en) * 1988-04-13 1990-11-06 Hitachi, Ltd. Encrypting system of data
US5014313A (en) * 1989-07-07 1991-05-07 Motorola, Inc. Text modifier

Non-Patent Citations (10)

* Cited by examiner, † Cited by third party
Title
C. A. Deavours and L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House, Inc., pp. 93 94 (1985). *
C. A. Deavours and L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House, Inc., pp. 93-94 (1985).
Data Encryption Standard, Federal Information Processing Standards Publication 46 1, National Technical Information Service, U.S. Dept. of Commerce, Jan. 1988. *
Data Encryption Standard, Federal Information Processing Standards Publication 46-1, National Technical Information Service, U.S. Dept. of Commerce, Jan. 1988.
J. A. Reeds and P. J. Weinberger, "File Security and the UNIX System Crypt Command", AT&T Bell Laboratories Technical Journal, vol. 63, No. 8, Oct. 1984.
J. A. Reeds and P. J. Weinberger, File Security and the UNIX System Crypt Command , AT & T Bell Laboratories Technical Journal, vol. 63, No. 8, Oct. 1984. *
R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, vol. 21, No. 12, 993-999 (Dec. 1978).
R. M. Needham and M. D. Schroeder, Using Encryption for Authentication in Large Networks of Computers , Communications of the ACM, vol. 21, No. 12, 993 999 (Dec. 1978). *
W. Diffie and M. E. Hellman, "Privacy and Authentication: An Introduction to Cryptography", Proceeding of the I.E.E.E., vol. 67, No. 3, Mar. 1979.
W. Diffie and M. E. Hellman, Privacy and Authentication: An Introduction to Cryptography , Proceeding of the I.E.E.E., vol. 67, No. 3, Mar. 1979. *

Cited By (88)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5748739A (en) * 1994-11-05 1998-05-05 International Computers Limited Access control for sensitive functions
US5594797A (en) * 1995-02-22 1997-01-14 Nokia Mobile Phones Variable security level encryption
US5727064A (en) * 1995-07-03 1998-03-10 Lucent Technologies Inc. Cryptographic system for wireless communications
US6330333B1 (en) 1995-07-03 2001-12-11 Lucent Technologies, Inc. Cryptographic system for wireless communications
US5724427A (en) * 1995-08-17 1998-03-03 Lucent Technologies Inc. Method and apparatus for autokey rotor encryption
US5799090A (en) * 1995-09-25 1998-08-25 Angert; Joseph C. pad encryption method and software
US6324287B1 (en) * 1995-09-25 2001-11-27 Scm Microsystems, Inc. Pad encryption method and software
US6075858A (en) * 1995-10-27 2000-06-13 Scm Microsystems (U.S.) Inc. Encryption key system and method
US20070147616A1 (en) * 1995-12-15 2007-06-28 Nokia Corporation Method for indicating enciphering of data transmission between a mobile communication network and a mobile station
US20010014942A1 (en) * 1995-12-15 2001-08-16 Hamalainen Jari Pekka Method for indicating enciphering of data transmission between a mobile communication network and a mobile station
US5740247A (en) * 1995-12-22 1998-04-14 Pitney Bowes Inc. Authorized cellular telephone communication payment refill system
US5890075A (en) * 1996-10-21 1999-03-30 Lucent Technologies Inc. Method for remotely updating data stored in a mobile terminal by a wireless telecommunications system
KR100929515B1 (en) 1997-03-11 2009-12-03 퀄컴 인코포레이티드 Method of and apparatus for encrypting signals for transmission
US6768797B2 (en) * 1997-03-11 2004-07-27 Qualcomm, Inc. Method and apparatus for encrypting data in a wireless communication system
EP2120387A3 (en) * 1997-03-11 2013-03-06 Qualcomm Incorporated Method and apparatus for encrypting signals for transmission
US7995751B2 (en) 1997-03-11 2011-08-09 Qualcomm Incorporated Method and apparatus for encrypting data in a wireless communication system
EP2124378A3 (en) * 1997-03-11 2012-10-03 Qualcomm Incorporated Method of and apparatus for encrypting signals for transmission
EP2262163A2 (en) 1997-03-11 2010-12-15 Qualcomm Incorporated Method of and apparatus for encrypting signals for transmission
US20030185390A1 (en) * 1997-03-11 2003-10-02 Qualcomm, Inc. Method and apparatus for encrypting data in a wireless communication system
EP2124378A2 (en) 1997-03-11 2009-11-25 Qualcomm Incorporated Method of and apparatus for encrypting signals for transmission
EP2120387A2 (en) 1997-03-11 2009-11-18 Qualcomm Incorporated Method and apparatus for encrypting signals for transmission
US20040190712A1 (en) * 1997-03-11 2004-09-30 Rose Gregory G. Method and apparatus for encrypting data in a wireless communication system
KR100899964B1 (en) 1997-03-11 2009-05-28 퀄컴 인코포레이티드 Method of and apparatus for encrypting signals for transmission
US6385316B1 (en) * 1997-03-11 2002-05-07 Qualcomm Incorporated Method and apparatus for encrypting data in a wireless communication system
WO1998040984A1 (en) * 1997-03-11 1998-09-17 Qualcomm Incorporated Method of and apparatus for encrypting signals for transmission
WO1999003246A2 (en) * 1997-04-14 1999-01-21 Lucent Technologies Inc. Methods and apparatus for enhanced security expansion of a secret key into a lookup table for improved security for wireless telephone messages
WO1998047262A2 (en) * 1997-04-14 1998-10-22 Lucent Technologies Inc. Methods and apparatus for multiple-iteration cmea encryption and decryption for improved security for wireless telephone messages
US6266411B1 (en) * 1997-04-14 2001-07-24 Lucent Technologies Inc. Method and apparatus for multiple-iteration CMEA encryption and decryption for improved security for wireless telephone messages
US6233337B1 (en) * 1997-04-14 2001-05-15 Lucent Technologies Inc. Methods and apparatus for enhanced security expansion of a secret key into a lookup table for improved security for wireless telephone messages
WO1999003246A3 (en) * 1997-04-14 1999-03-25 Lucent Technologies Inc Methods and apparatus for enhanced security expansion of a secret key into a lookup table for improved security for wireless telephone messages
WO1998047262A3 (en) * 1997-04-14 1999-02-25 Lucent Technologies Inc Methods and apparatus for multiple-iteration cmea encryption and decryption for improved security for wireless telephone messages
JP3459073B2 (en) 1997-04-14 2003-10-20 ルーセント テクノロジーズ インコーポレーテッド Multi-time CMEA encryption and decryption method and apparatus for improving security of wireless telephone messages
JP3459074B2 (en) 1997-04-14 2003-10-20 ルーセント テクノロジーズ インコーポレーテッド Method and apparatus for enhanced security enhancement of a private key to a lookup table to improve security of wireless telephone messages
US6418224B1 (en) * 1997-05-06 2002-07-09 Lucent Technologies Inc. Methods and apparatus for self-inverting multiple-iteration CMEA crypto-processing for improved security for wireless telephone messages
WO1999005817A1 (en) * 1997-07-22 1999-02-04 Lucent Technologies Inc. Methods and apparatus for enhanced cmea including a cmea iteration preceded and followed by transformations and employing an involuntary lookup
US6876744B1 (en) * 1997-07-22 2005-04-05 Lucent Technologies Inc. Methods and apparatus for enhanced CMEA including a CMEA iteration preceded and followed by transformations and employing an involuntary lookup
JP3478839B2 (en) 1997-07-22 2003-12-15 ルーセント テクノロジーズ インコーポレーテッド Method and apparatus for enhanced CMEA including CMEA iterations before and after transformation using involuntary lookup
JP3466204B2 (en) 1997-07-29 2003-11-10 ルーセント テクノロジーズ インコーポレーテッド Method and apparatus for enhanced CMEA using enhanced transformation
US6377687B1 (en) * 1997-07-29 2002-04-23 Lucent Technologies Inc. Methods and apparatus for enhanced CMEA employing enhanced transformations
WO1999007103A1 (en) * 1997-07-29 1999-02-11 Lucent Technologics Inc. Methods and apparatus for enhanced cmea employing enhanced transformations
US7047222B1 (en) 1997-08-06 2006-05-16 International Business Machines Corporation Secure encryption of data packets for transmission over unsecured networks
US5781628A (en) * 1997-08-19 1998-07-14 Ericsson Inc. System and method for selective restriction of ciphering
US6690798B1 (en) * 1997-12-10 2004-02-10 Ericsson Inc. Key transforms to discriminate between beams in a multi-beam satellite communication system
US6721886B1 (en) * 1998-05-20 2004-04-13 Nokia Corporation Preventing unauthorized use of service
US6510515B1 (en) * 1998-06-15 2003-01-21 Telefonaktlebolaget Lm Ericsson Broadcast service access control
US7206748B1 (en) 1998-08-13 2007-04-17 International Business Machines Corporation Multimedia player toolkit for electronic content delivery
US6345256B1 (en) 1998-08-13 2002-02-05 International Business Machines Corporation Automated method and apparatus to package digital content for electronic distribution using the identity of the source content
US6389538B1 (en) 1998-08-13 2002-05-14 International Business Machines Corporation System for tracking end-user electronic content usage
US6389403B1 (en) 1998-08-13 2002-05-14 International Business Machines Corporation Method and apparatus for uniquely identifying a customer purchase in an electronic distribution system
US6418421B1 (en) 1998-08-13 2002-07-09 International Business Machines Corporation Multimedia player for an electronic content delivery system
US6587837B1 (en) 1998-08-13 2003-07-01 International Business Machines Corporation Method for delivering electronic content from an online store
US6263313B1 (en) 1998-08-13 2001-07-17 International Business Machines Corporation Method and apparatus to create encoded digital content
US6574609B1 (en) 1998-08-13 2003-06-03 International Business Machines Corporation Secure electronic content management system
US7590866B2 (en) 1998-08-13 2009-09-15 International Business Machines Corporation Super-distribution of protected digital content
US6959288B1 (en) 1998-08-13 2005-10-25 International Business Machines Corporation Digital content preparation system
US7269564B1 (en) 1998-08-13 2007-09-11 International Business Machines Corporation Method and apparatus to indicate an encoding status for digital content
US6226618B1 (en) 1998-08-13 2001-05-01 International Business Machines Corporation Electronic content delivery system
US6398245B1 (en) 1998-08-13 2002-06-04 International Business Machines Corporation Key management system for digital content player
US7487128B2 (en) 1998-08-13 2009-02-03 International Business Machines Corporation Updating usage conditions in lieu of download digital rights management protected content
US7110984B1 (en) 1998-08-13 2006-09-19 International Business Machines Corporation Updating usage conditions in lieu of download digital rights management protected content
US20060089912A1 (en) * 1998-08-13 2006-04-27 International Business Machines Corporation Updating usage conditions in lieu of download digital rights management protected content
US20060095792A1 (en) * 1998-08-13 2006-05-04 Hurtado Marco M Super-distribution of protected digital content
US6611812B2 (en) 1998-08-13 2003-08-26 International Business Machines Corporation Secure electronic content distribution on CDS and DVDs
US7031472B1 (en) 1998-09-25 2006-04-18 Sony Computer Entertainment Inc. Method of authenticating information, disk playback apparatus, and entertainment apparatus
US6151677A (en) * 1998-10-06 2000-11-21 L-3 Communications Corporation Programmable telecommunications security module for key encryption adaptable for tokenless use
WO2000020972A3 (en) * 1998-10-06 2000-08-17 L 3 Comm Corp Programmable telecommunications security module for key encryption adaptable for tokenless use
WO2000020972A2 (en) * 1998-10-06 2000-04-13 L-3 Communications Corporation Programmable telecommunications security module for key encryption adaptable for tokenless use
US6983371B1 (en) 1998-10-22 2006-01-03 International Business Machines Corporation Super-distribution of protected digital content
US8794516B2 (en) 1999-10-25 2014-08-05 Smartflash, LLC Data storage and access systems
US7213005B2 (en) 1999-12-09 2007-05-01 International Business Machines Corporation Digital content distribution using web broadcasting services
US20060053077A1 (en) * 1999-12-09 2006-03-09 International Business Machines Corporation Digital content distribution using web broadcasting services
US7277870B2 (en) 1999-12-09 2007-10-02 International Business Machines Corporation Digital content distribution using web broadcasting services
US6834110B1 (en) 1999-12-09 2004-12-21 International Business Machines Corporation Multi-tier digital TV programming for content distribution
KR20000054658A (en) * 2000-06-16 2000-09-05 김송식 Method for application SSMS
US7500109B2 (en) 2000-09-08 2009-03-03 International Business Machines Corporation System and method for secure authentication of external software modules provided by third parties
US6978375B1 (en) 2000-09-08 2005-12-20 International Business Machines Corporation System and method for secure authentication of external software modules provided by third parties
US20050216422A1 (en) * 2000-09-08 2005-09-29 International Business Machines Corporation. System and method for secure authentication of external software modules provided by third parties
US20050014503A1 (en) * 2000-11-17 2005-01-20 Kabushiki Kaisha Toshiba Scheme for registration and authentication in wireless communication system using wireless LAN
US7324805B2 (en) * 2000-11-17 2008-01-29 Kabushiki Kaish Toshiba Scheme for registration and authentication in wireless communication system using wireless LAN
US20040240671A1 (en) * 2001-06-15 2004-12-02 Hai-Tao Hu Method for remote loading of an encryption key in a telecommunication network station
KR20030020637A (en) * 2001-09-04 2003-03-10 주식회사 현대시스콤 Method for processing data wireless security between mobile station and radio network in mobile communication system
US20060059347A1 (en) * 2002-04-18 2006-03-16 Herz Frederick S System and method which employs a multi user secure scheme utilizing shared keys
US7350069B2 (en) * 2002-04-18 2008-03-25 Herz Frederick S M System and method which employs a multi user secure scheme utilizing shared keys
US20060104440A1 (en) * 2002-10-30 2006-05-18 Alain Durand Simplified method for renewing symmetrical keys in a digital network
US8369524B2 (en) * 2002-10-30 2013-02-05 Thomson Licensing Simplified method for renewing symmetrical keys in a digital network
US20070157023A1 (en) * 2005-12-30 2007-07-05 Motorola, Inc. Method and apparatus for a wireless mobile device with sim challenge modification capability
US8116733B2 (en) * 2005-12-30 2012-02-14 Motorola Inc. Method and apparatus for a wireless mobile device with SIM challenge modification capability
US20080022375A1 (en) * 2006-06-09 2008-01-24 Stanley David J Method and apparatus for using a cell phone to facilitate user authentication

Also Published As

Publication number Publication date
EP0532228A2 (en) 1993-03-17
DE69230423D1 (en) 2000-01-20
JPH06188877A (en) 1994-07-08
FI924090A0 (en) 1992-09-11
FI924090A (en) 1993-03-14
EP0532228B1 (en) 1999-12-15
DE69230423T2 (en) 2000-07-06
EP0532228A3 (en) 1994-04-13
JP2693348B2 (en) 1997-12-24
FI108590B (en) 2002-02-15

Similar Documents

Publication Publication Date Title
US5159634A (en) Cryptosystem for cellular telephony
EP0532226B1 (en) Method and apparatus for encrypting a set of message signals
EP0903887B1 (en) Cellular telephony authentication arrangement
EP0532231B1 (en) Service provision authentication protocol
US5915021A (en) Method for secure communications in a telecommunications system
US5909491A (en) Method for sending a secure message in a telecommunications system
US7352866B2 (en) Enhanced subscriber authentication protocol
US5515441A (en) Secure communication method and apparatus
KR100687455B1 (en) Method for transferring sensitive information using initially unsecured communication
EP0898397A2 (en) Method for sending a secure communication in a telecommunications system
Wang et al. ID-based authentication for mobile conference call

Legal Events

Date Code Title Description
AS Assignment

Owner name: AMERICAN TELEPHONE AND TELEGRAPH COMPANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST.;ASSIGNOR:REEDS, JAMES A. III;REEL/FRAME:005844/0148

Effective date: 19910820

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: LUCENT TECHNOLOGIES, INC., NEW JERSEY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AT&T CORP.;REEL/FRAME:011658/0857

Effective date: 19960329

AS Assignment

Owner name: THE CHASE MANHATTAN BANK, AS COLLATERAL AGENT, TEX

Free format text: CONDITIONAL ASSIGNMENT OF AND SECURITY INTEREST IN PATENT RIGHTS;ASSIGNOR:LUCENT TECHNOLOGIES INC. (DE CORPORATION);REEL/FRAME:011722/0048

Effective date: 20010222

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: LUCENT TECHNOLOGIES INC., NEW JERSEY

Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENT RIGHTS;ASSIGNOR:JPMORGAN CHASE BANK, N.A. (FORMERLY KNOWN AS THE CHASE MANHATTAN BANK), AS ADMINISTRATIVE AGENT;REEL/FRAME:018590/0287

Effective date: 20061130